[MPlayer-users] When do I *have to* update MPlayer?

Manuel Reimer Manuel.Spam at nurfuerspam.de
Thu Nov 24 17:01:26 CET 2011


Carl Eugen Hoyos wrote:
>> Is this version vulnerable to serious security holes?
>
> At least one such exploit is known, yes.
> (Search for "assisted discovery of vulnerabilities yamaguchi")

Seems to be:
http://www.usenix.org/events/woot11/tech/final_files/Yamaguchi.pdf

But this (in my opinion) has a few restrictions if it gets to code execution. Is 
this really a dangerous hole which could be exploited from the web if MPlayer is 
used inside the browser?

> It is said not to be reproducible with current MPlayer svn.

So anything but the current SVN is vulnerable to a security hole where it is 
known that code execution will work?

>> When do I *have to* update my MPlayer? I'm using MPlayer inside my browser!
>
> I think you are the only one who can answer that.

I only want to update if there is a reason for that. My idea was to trust the 
distributor (Slackware in this case) but as updates are really rare on 
Slackware, I feared to be actually vulnerable to something, so I asked here.

Is it possible to harden MPlayer? I don't need a player which plays anything but 
the kitchen sink. It would be enough to be able to play the common formats used 
on websites.

> I may misunderstand the question: Whenever you update MPlayer, FFmpeg is also
> updated. So whenever FFmpeg receives (for you) important updates, you should
> update MPlayer.

Is it possible to separate both and have FFmpeg as a separate dynamically linked 
library?

Why was there no announcement about the possible security problem on the 
"announce" list? Why don't you roll a new release if the old one has a known hole?

Yours

Manuel


